Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- param(
- [string] $username,
- [string] $filename,
- [string] $servername
- )
- # Logging
- # (Unterschiedliche EventIDs werden bisher nicht unterstützt)
- function log ([string] $text) {
- Write-EventLog –LogName Application –Source "block-ransomware" –EntryType Warning –EventID 1 -Category 0 –Message "$text"
- }
- # NetBIOS-DomainName ermitteln
- $domain = (gwmi Win32_NTDomain).DomainName
- # Domain aus Usernamen entfernen
- $username = $username -replace "$domain\\"
- # IP anhand des Usernamens ermitteln.
- # IPv6 wird dabei ausgefiltert
- $IP = (get-WmiObject Win32_ServerSession | where-object {$_.UserName -eq "$username" -and $_.ComputerName -match "\."} | format-table ComputerName -AutoSize -HideTableHeaders | Out-String).Trim()
- $logmsg = "User: " + $username + "`r`n" + `
- "Domain: " + $domain + "`r`n" + `
- "IP: " + $IP + "`r`n" + `
- "Datei: " + $filename + "`r`n" + `
- "Server: " + $servername
- log($logmsg)
- # IP-Adresse an lokaler Firewall für SMB-Sharing blocken
- # (Die Firewall prüft nicht, ob es den anzulegenden Eintrag bereits gibt und erzeugt somit ggf. doppelte Einträge)
- if ($IP -ne "") {
- netsh advfirewall firewall add rule name="Block-Ransomware" dir=in action=block protocol=tcp localport=139 remoteip=$IP profile=any enable=yes
- netsh advfirewall firewall add rule name="Block-Ransomware" dir=in action=block protocol=tcp localport=445 remoteip=$IP profile=any enable=yes
- netsh advfirewall firewall add rule name="Block-Ransomware" dir=in action=block protocol=udp localport=137 remoteip=$IP profile=any enable=yes
- netsh advfirewall firewall add rule name="Block-Ransomware" dir=in action=block protocol=udp localport=138 remoteip=$IP profile=any enable=yes
- } else {
- $errormsg = "Fehler: Keine IP-Adresse gefunden"
- log($errormsg)
- Write-Host $errormsg
- exit 1
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
